An appendix below shows amendments to the application. 

Applicants thank the Examiner for his careful attention to detail in noticing several minor 
errors in the application. 

Drawing margin correction. A formal drawing having the correct margins is submitted 
for the sheet with FIGS. 12 and 13. 

Drawing reference number change. FIG. 11 is changed such that chipset 226 is changed 
to chipset 227. FIG. 15 is changed such that for coefficient selection 236 is changed to 264 and 
for strength parameter 238 is changed to 266. 

Drawings showing the changes in red ink as well as corrected formal drawings are 
provided for the Examiner's approval. 

Objections to Drawings. The following are responses to the objections to the figures. 

A) (1) In FIG. 11, the disc is shown as disc 230 and in the paragraph at page 15, line 19, 
to page 16, line 2, disc 226 is changed to disc 230. 

A) (2) The chipset 226 in FIG. 11 is changed to "227." The paragraph at page 15, line 
19, to page 16, line 2 is amended accordingly. 

A) (3) In FIG. 15, coefficient selection 236 is changed to "264" and strength parameter 
238 is changed to "266." The paragraph at page 20, lines 14-18, is amended accordingly. 

Objections to the disclosure. The following are responses to the objections to the disclosure. 

A) (1) (a) The paragraph at page 7, lines 6-15 is amended to include reference to 
watermark 100. 

A) (1) (b) The paragraph at page 15, lines 19 to page 16, line 2 is amended to include 
reference to disc 230. 

A) (1) (c) The paragraph at page 21, lines 12-21, is amended to include a reference to 
mechanism 316. 

A) (1) (d) The paragraph at page 21, lines 22-28, is amended to include a reference to 
mechanisms 328 and 336. 

B) (1) the paragraph at page 8, lines 12-17, is amended to replace mechanism 102 with 
mechanism 120. 

B) (2) the paragraph at page 15, line 19, to page 16, line 2, is amended to replace memory 
222 with memory 224. 

B) (3) the paragraph at page 15, line 19, to page 16, line 2, is amended to replace disc 228 
with disc 230. 

35 U.S.C. § 112, ¶ 2. Claim 10 stands rejected under 35 U.S.C. § 112, ¶ 2, as being 
indefinite. Claim 10 is amended to depend from claim 9. 

35 U.S.C. § 102(b): Thomas et al. Claims 1, 9, 11, 12, 19, 24, 25, 26, and 28 stand 
rejected under 35 U.S.C. § 102(b) as being anticipated by Thomas et al (5,425,100). 

It is believed that the present invention and Thomas et al. are significantly different. The 
present invention concerns protecting content. For example, claim 1 recites: 

"selecting a set of segments of content from a group of segments to be protected; 
protecting the segments of the set with protection that can be undone; and 
transmitting the group of segments." (Emphasis added.) 

Claims 9, 11, 12, 19, 24, 25, 26, and 28 also include reference to protected segments. 

A context into which the present invention may reside is explained in the application on 
page 5, lines 6-12: 

"The invention concerns partially protecting content to be provided to remote computers, 
only some of which will have the ability and permission to undo the partial protection and 
produce the entire content remotely. There are a variety of reasons to partial protect content and 
allow restricted undoing of the protection. For example, under one use, the invention includes 
placing vacation videos on the World Wide Web, but protecting some segments, such as those 
showing children. Then, certain family members or friends can see all segments, while other 
members of the public can see only the undo protection of segments." 

By contrast, Thomas et al. is concerned with a way "to measure television (TV) ratings." 
(Col. 1, line 18.) To accomplish this purpose, the invention relates "to a method and apparatus 
for monitoring broadcast signals, and more particularly to a universal broadcast code, methods 
and apparatus for encoding and monitoring a signal." (Col. 1, lines 11-14.) "In brief, the objects 
and advantages of the present invention are achieved by a multi-level encoded signal monitoring 
system and a universal broadcast code (UBC). A plurality of encoders are provided for encoding 
a predetermined program source signal. The program source signal has a plurality of sequential 
segments. Each encoder is arranged for selectively encoding information on unique specified 
segments." (Col. 1, line 63 to col. 2, line 2.) 

There is nothing in Thomas et al. that suggests that encoding provides protection, to the 
group of segments. Indeed, many types of encoding provide no protection because decoding is 
readily understood. For example, MPEG provides encoding, but does not provide protection 
because decoding of MPEG signals is readily known. 

In the absence of any teaching of Thomas et al. that the segments are protected, it is 
believed that the rejections should be withdrawn. 

35 U.S.C. § 103(a): Thomas et al. Claims 2-8, 10, 13-18, 20-23, 27, and 29 stand 
rejected under 35 U.S.C. § 103(a) as being unpatentable over Thomas et al (5,425,100) as applied 
to claims 1, 9, 11, 12, 19, 24, 25, 26, and 28 above and further in view of obvious variations. 

Claims 2-8, 10, 13-18, 20-23, 27, and 29 are each dependent on one of the claims rejected 
under section 102(b) above. Accordingly, these claims also include reference to protected 
segments. Because Thomas et al. is significantly different than the present invention, it is 
believed that the rejections should be withdrawn. 

Standards. The Office action (p. 8) states "To complete the record, applicant must supply 
the standards mentioned at: (a) page 14, line 16-23, 'The invention is not ... than MPEG may be 
used.'; and (b) page 19, lines 15-27, 'The key may be used in ... of coefficients for sign 
inversion.'" Although the necessity of this requirement is traversed, copies of information about 
Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are attached to this amendment. 
Applicants are willing to provide copies of the MPEG standards, however, the undersigned 
attorney understands that would include several hundred pages. In light of the length of the 
MPEG standards and how they are readily available in books and on the internet, it seemed to be 
not useful for applicants to mail a copy of this to the Patent and Trademark Office. 

The copy of the information about Secure Hash Algorithm (SHA), "Secure Hash 
Standard" (1995 April 17), 17 pages, provided with this amendment was obtained from NIST 
federal standard FIPS 180-1 at http://www.itl.nist.gov/fipspubs/fip180-1.htm . 

The copy of the information about Message Digest 5 (MD5), "The Message-Digest 
Algorithm" (April 1992), 17 pages, provided with this amendment was obtained from RFC 1321 
at http://www.faqs.org/rfcs/rfc1321.html . 

Conclusion. 

It is believed that the rejections should be withdrawn. Note that merely because 
applicants do not specifically argue that certain limitations of a claim are not in the references is 
not a concession that a reference or combination of references includes the limitations. That 
applicants do not contradict a particular statement made in the Office action is not a concession 
that applicant agrees with it. Further, merely because applicants do not separately argue the 
patentability of every dependent claim is not a concession that there are not additional reasons for 
patentability of these dependent claims. 

App. No. 09/275,514 

Applicant believes the application is in condition for allowance and respectfully requests 
the same. 

Respectfully submitted, 

Dated: March 1, 2002 

Alan K. Aldous 
Reg. No. 31,905 

Blakely, Sokoloff, Taylor & Zafman 
12400 Wilshire Boulevard, Seventh Floor 
Los Angeles, California 90025-1026 
Phone: (503) 264-7125 
Phone: (503) 684-6200 
Phone: (310) 207-3800 
Facsimile: (503) 684-3245 

Amendments to the application are shown in an Appendix beginning on the following page. 

APPENDIX: 

Please amend the application as follows. 
VERSION WITH MARKINGS TO SHOW AMENDMENTS 

Amend the paragraph at page 7, lines 6-15, as follows: 

A window 80 includes a display 84 for displaying one of the segments, which may be 
selected, paused or stopped through icons 90 or other means. A scroll bar 82 may be used to 
advance through frames of the segment selected for viewing in display 84. The various icons 
described herein can be activated through a mouse. Activation of a browse icon 92 may cause 
segment in display 66 to also appear in display 84. Bit encryption and visual scrambling 
selection boxes 94 and 96 can be checked with a click of a mouse to select bit encryption and/or 
visual scrambling features described below. In some embodiments, when either of these boxes is 
checked, the corresponding display in window 64 is enclosed in a rectangle or otherwise 
designated as being protected. The protection occurs in response to encode icon 98 being 
activated with a click of a mouse. For example, display 68 and 74 are enclosed in a rectangle 
indicating that segments 2 and 5 (which include images 12 and 15) will be protected if encode 
icon 98 is activated. Activation of a watermark icon 100 causes information such as is described 
below to be contained in a watermark. 

Amend the paragraph at page 8, lines 12-17, as follows: 

FIG. 4 illustrates a content providing system 114 which is similar to content providing 
system 14 but illustrates some additional capabilities, which could be included in content 
providing system 14. A segment creation mechanism 120 represents a user interface and 
associated software to select segments of the group of segments (e.g., to designate the beginning 
and ending frames or time of the segment). Mechanism [102] 120 may be used for joining 
disjointed segments in a group and/or dividing continuous content into segments of a group. 

Amend the paragraph at page 15, line 19, to page 16, line 2, as follows: 
FIG. 11 illustrates a computer 220 (which may be an example of system 14) including a 
processor 222, on-die memory 224, chipset I/O [226] 227, and off-die memory 228. Memory 
[222] 224, memory 228, and a disc [228] 230 include machine readable media to hold 
instructions to be executed and other data. The various block diagram and flow chart blocks in 
the other figures called mechanisms may represent processor 222 performing functions on 
software or may represent hardware other than processor 222 performing the functions described 
in connection with the block diagram or flowchart mechanisms. A link 234 joins computer 220 
to a remote computer 236 (which may be an example of remote receiving computer 20). 
Computer 236 may be the same as or different than computer 220. A display 238 may be 
packaged with or separate from computer 236. Link 234 represents any of various links 
including the Internet, an intranet, a local area network, satellite, or other networks. The term 
computer is intended to be broadly interpreted to include a variety of systems and devices 
including personal computers, mainframe computers, set top boxes, digital versatile disc (DVD) 
players, and the like. 

Amend the paragraph at page 20, lines 14-18, as follows: 

The invention may be used with respect to signals not previously compressed. FIG. 15 
illustrates an encode mechanism 270 in which uncompressed (raw) video is first transformed 
with a DCT mechanism 272 (which may be the same as encoder 200 in FIG. 9). Scrambling 
mechanism 244 alters the coefficients as described above. An inverse DCT mechanism 276 
returns the scrambled video to the uncompressed (raw) video format. Selected coefficients are 
provided by coefficient selection mechanism 264 responsive to a key and strength parameter 266. 

Amend the paragraph at page 21, lines 12-21, as follows: 

As an example, FIG. 17 illustrates a scrambling encode mechanism 300 (which may be in 
computer 220 in FIG. 11) in which video blocks (which may be in MPEG format) are received 
by in buffer 302. In some embodiments, as a block is received, it is identified with a number m 
or placed in position m of the buffer. The number m is incremented by increment mechanism 
308 with each received block until m = N (compare mechanism 306), where N is the number of 
blocks available for permutation. For example, if a set of four blocks may be permuted, N is 3 
(assuming m starts at 0). When m = N, order selection mechanism 312 selects a block order 
based on a key and sets m to 0 (mechanism 316). The blocks are read from buffer 302 in the 
permuted block order as specified in the block order from order selection mechanism 312. The 
block order may be a mapping for each block, wherein or not it is changed or only those that 
change order. 

Amend the paragraph at page 21, lines 22-28, as follows: 

FIG. 18 illustrates a descrambling decode mechanism 320 (which may be in computer 
236 in FIG. 11) which receives the blocks in permuted order in buffer 322 from buffer 302 in 
FIG. 17. When the buffer is full (comparison mechanism 326), order selection mechanism 332 
selects the block order responsive to a key and buffer 322. Responsive to the block order, the 
blocks in the original order are read from buffer 322 in the original order. Mechanism 328 
increments m and mechanism 336 sets m = 0. By using the same block order as in FIG. 17, an 
inverse permutation occurs and the blocks are read out in the original order. 
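
A sketch of the key-driven block permutation of FIGS. 17 and 18, added here as an example and not taken from the application or its figures. The Fisher-Yates shuffle, the SHA-1(key || group number || counter) randomness source, the per-group reseeding and every function name are assumptions; the text says only that the order is selected based on a key.

```python
import hashlib


def block_order(key: bytes, group_index: int, n_blocks: int) -> list:
    """Order selection (assumed construction): key-driven Fisher-Yates shuffle.

    Random words come from SHA-1(key || group index || counter); rejection
    sampling keeps the choice of each swap position free of modulo bias.
    """
    order = list(range(n_blocks))
    counter = 0
    for i in range(n_blocks - 1, 0, -1):
        limit = (1 << 32) - ((1 << 32) % (i + 1))
        while True:
            seed = key + group_index.to_bytes(4, "big") + counter.to_bytes(4, "big")
            r = int.from_bytes(hashlib.sha1(seed).digest()[:4], "big")
            counter += 1
            if r < limit:
                break
        j = r % (i + 1)
        order[i], order[j] = order[j], order[i]
    return order


def scramble(blocks: list, key: bytes, group: int = 4) -> list:
    """Encoder side: fill a buffer of `group` blocks, read it out in permuted order."""
    out = []
    for g, start in enumerate(range(0, len(blocks), group)):
        buf = blocks[start:start + group]          # last buffer may be short
        order = block_order(key, g, len(buf))
        out.extend(buf[i] for i in order)
    return out


def descramble(blocks: list, key: bytes, group: int = 4) -> list:
    """Decoder side: recompute the same block order and apply its inverse."""
    out = []
    for g, start in enumerate(range(0, len(blocks), group)):
        buf = blocks[start:start + group]
        order = block_order(key, g, len(buf))
        original = [None] * len(buf)
        for position, source in enumerate(order):
            original[source] = buf[position]       # undo: position -> source slot
        out.extend(original)
    return out


if __name__ == "__main__":
    # Constructed sample data: 10 labelled "video blocks" and a constructed key.
    sample = [f"block{i}".encode() for i in range(10)]
    mixed = scramble(sample, b"constructed-key")
    print(mixed)
    print(descramble(mixed, b"constructed-key") == sample)
```

Permuting block order hides nothing about the content of each block, so the strength of this step rests entirely on how many orders are possible per buffer and on keeping the key secret.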

Please amend claim 10 as follows: 

10. (Amended) The method of claim [8] 9, wherein the video signals are in an MPEG 
format. 

(The Foreword, Abstract, and Key Words 
can be found at the end of this document.) 

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of 
Standards and Technology after approval by the Secretary of Commerce pursuant to Section 111(d) of the Federal 
Property and Administrative Services Act of 1949, as amended by the Computer Security Act of 1987, Public Law 
100-235. 

Name of Standard: Secure Hash Standard. 
Category of Standard: Computer Security. 

Explanation: This Standard specifies a Secure Hash Algorithm, SHA-1, for computing a condensed 
representation of a message or a data file. When a message of any length < 2^64 bits is input, the 
SHA-1 produces a 160-bit output called a message digest. The message digest can then be input to the 
Digital Signature Algorithm (DSA) which generates or verifies the signature for the message. Signing 
the message digest rather than the message often improves the efficiency of the process because the 
message digest is usually much smaller in size than the message. The same hash algorithm must be 
used by the verifier of a digital signature as was used by the creator of the digital signature. 

The SHA-1 is called secure because it is computationally infeasible to find a message which 
corresponds to a given message digest, or to find two different messages which produce the same 
message digest. Any change to a message in transit will, with very high probability, result in a 
different message digest, and the signature will fail to verify. SHA-1 is a technical revision of SHA 
(FIPS 180). A circular left shift operation has been added to the specifications in section 7, line b, 
page 9 of FIPS 180 and its equivalent in section 8, line c, page 10 of FIPS 180. This revision 
improves the security provided by this standard. The SHA-1 is based on principles similar to those 
used by Professor Ronald L. Rivest of MIT when designing the MD4 message digest algorithm ("The 
MD4 Message Digest Algorithm," Advances in Cryptology - CRYPTO '90 Proceedings, Springer- 
Verlag, 1991, pp. 303-311), and is closely modelled after that algorithm. 

Figure 1: Using the SHA-1 with the DSA 



Approving Authority: Secretary of Commerce. 

Maintenance Agency: U.S. Department of Commerce, National Institute of Standards and 
Technology, Computer Systems Laboratory. 

Applicability: This standard is applicable to all Federal departments and agencies for the protection 
of unclassified information that is not subject to section 2315 of Title 10, United States Code, or 
section 3502(2) of Title 44, United States Code. This standard is required for use with the Digital 
Signature Algorithm (DSA) as specified in the Digital Signature Standard (DSS) and whenever a 
secure hash algorithm is required for Federal applications. Private and commercial organizations are 
encouraged to adopt and use this standard. 

Applications: The SHA-1 may be used with the DSA in electronic mail, electronic funds transfer, 
software distribution, data storage, and other applications which require data integrity assurance and 
data origin authentication. The SHA-1 may also be used whenever it is necessary to generate a 
condensed version of a message. 

Implementations: The SHA-1 may be implemented in software, firmware, hardware, or any 
combination thereof. Only implementations of the SHA-1 that are validated by NIST will be 
considered as complying with this standard. Information about the requirements for validating 
implementations of this standard can be obtained from the National Institute of Standards and 
Technology, Computer Systems Laboratory, Attn: SHS Validation, Gaithersburg, MD 20899. 

Export Control: Implementations of this standard are subject to Federal Government export controls 
as specified in Title 15, Code of Federal Regulations, Parts 768 through 799. Exporters are advised to 
contact the Department of Commerce, Bureau of Export Administration for more information. 

Patents: Implementations of the SHA-1 in this standard may be covered by U.S. and foreign patents. 

Implementation Schedule: This standard becomes effective October 2, 1995. 

Specifications: Federal Information Processing Standard (FIPS 180-1) Secure Hash Standard 
(affixed). 

Cross Index: 

a. FIPS PUB 46-2, Data Encryption Standard. 

b. FIPS PUB 73, Guidelines for Security of Computer Applications. 

c. FIPS PUB 140-1, Security Requirements for Cryptographic Modules. 

d. FIPS PUB 186, Digital Signature Standard. 

e. Federal Informations Resources Management Regulations (FIRMR) subpart 201.20.303, 
Standards, and subpart 201.39.1002, Federal Standards. 

Objectives: The objectives of this standard are to: 

a. Specify the secure hash algorithm required for use with the Digital Signature Standard (FIPS 
186) in the generation and verification of digital signatures; 

b. Specify the secure hash algorithm to be used whenever a secure hash algorithm is required 
for Federal applications; and 

c. Encourage the adoption and use of the specified secure hash algorithm by private and 
commercial organizations. 



Qualifications: While it is the intent of this standard to specify a secure hash algorithm, conformance 
to this standard does not assure that a particular implementation is secure. The responsible authority 
in each agency or department shall assure that an overall implementation provides an acceptable level 
of security. This standard will be reviewed every five years in order to assess its adequacy. 

Waiver Procedure: Under certain exceptional circumstances, the heads of Federal departments and 
agencies may approve waivers to Federal Information Processing Standards (FIPS). The head of such 
agency may redelegate such authority only to a senior official designated pursuant to section 3506(b) 
of Title 44, United States Code. Waiver shall be granted only when: 

a. Compliance with a standard would adversely affect the accomplishment of the mission of an 
operator of a Federal computer system; or 

b. Compliance with a standard would cause a major adverse financial impact on the operator 
which is not offset by Government-wide savings. 

Agency heads may act upon a written waiver request containing the information detailed above. 
Agency heads may also act without a written waiver request when they determine that 
conditions for meeting the standard cannot be met. Agency heads may approve waivers only by 
a written decision which explains the basis on which the agency head made the required 
finding(s). A copy of each decision, with procurement sensitive or classified portions clearly 
identified, shall be sent to: National Institute of Standards and Technology; ATTN: FIPS 
Waiver Decisions, Technology Building, Room B-154, Gaithersburg, MD 20899. 

In addition, notice of each waiver granted and each delegation of authority to approve waivers 
shall be sent promptly to the Committee on Government Operations of the House of 
Representatives and the Committee on Government Affairs of the Senate and shall be 
published promptly in the Federal Register. 

When the determination on a waiver applies to the procurement of equipment and/or services, a 
notice of the waiver determination must be published in the Commerce Business Daily as a part 
of the notice of solicitation for offers of an acquisition or, if the waiver determination is made 
after that notice is published, by amendment to such notice. 

A copy of the waiver, any supporting documents, the document approving the waiver and any 
accompanying documents, with such deletions as the agency is authorized and decides to make 
under 5 United States Code Section 552(b), shall be part of the procurement documentation 
and retained by the agency. 

Where to Obtain Copies of the Standard: Copies of this publication are for sale by the 
National Technical Information Service, U.S. Department of Commerce, Springfield, VA 
22161. When ordering, refer to Federal Information Processing Standards Publication 180-1 
(FIPSPUB 180-1), and identify the title. When microfiche is desired, this should be specified. 
Prices are published by NTIS in current catalogs and other issuances. Payment may be made by 
check, money order, deposit account or charged to a credit card accepted by NTIS. 

Specifications for 

SECURE HASH STANDARD 



1. INTRODUCTION 



The Secure Hash Algorithm (SHA-1) is required for use with the Digital Signature Algorithm 
(DSA) as specified in the Digital Signature Standard (DSS) and whenever a secure hash 
algorithm is required for federal applications. For a message of length < 2^64 bits, the SHA-1 
produces a 160-bit condensed representation of the message called a message digest. The 
message digest is used during generation of a signature for the message. The SHA-1 is also 
used to compute a message digest for the received version of the message during the process of 
verifying the signature. Any change to the message in transit will, with very high probability, 
result in a different message digest, and the signature will fail to verify. 

The SHA-1 is designed to have the following properties: it is computationally infeasible to find 
a message which corresponds to a given message digest, or to find two different messages 
which produce the same message digest. 



2. BIT STRINGS AND INTEGERS 

The following terminology related to bit strings and integers will be used: 

a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. A hex digit is the 
representation of a 4-bit string. Examples: 7 = 0111, A = 1010. 

b. A word equals a 32-bit string which may be represented as a sequence of 8 hex digits. 
To convert a word to 8 hex digits each 4-bit string is converted to its hex equivalent as 
described in (a) above. Example: 

1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 

c. An integer between 0 and 2^32 - 1 inclusive may be represented as a word. The least 
significant four bits of the integer are represented by the right-most hex digit of the word 
representation. Example: the integer 291 = 2^8 + 2^5 + 2^1 + 2^0 = 256+32+2+1 is represented by 
the hex word, 00000123. 

If z is an integer, 0 <= z < 2^64, then z = 2^32 x + y where 0 <= x < 2^32 and 0 <= y < 2^32. Since 
x and y can be represented as words X and Y, respectively, z can be represented as the 
pair of words (X,Y). 

d. block = 512-bit string. A block (e.g., B) may be represented as a sequence of 16 
words. 



3. OPERATIONS ON WORDS 



The following logical operators will be applied to words: 

a. Bitwise logical word operations 

X AND Y = bitwise logical "and" of X and Y. 

X \/ Y = bitwise logical "inclusive-or" of X and Y. 

X XOR Y = bitwise logical "exclusive-or" of X and Y. 

NOT X = bitwise logical "complement" of X. 

Example: 

01101100101110011101001001111011 
XOR 01100101110000010110100110110111 

00001001011110001011101111001100 

b. The operation X + Y is defined as follows: words X and Y represent integers x and y, 
where 0 <= x < 2^32 and 0 <= y < 2^32. For positive integers n and m, let n mod m be the 
remainder upon dividing n by m. Compute 

z = (x + y) mod 2^32. 

Then 0 <= z < 2^32. Convert z to a word, Z, and define Z = X + Y. 

c. The circular left shift operation S^n(X), where X is a word and n is an integer with 0 <= 
n < 32, is defined by 

S^n(X) = (X << n) OR (X >> 32-n). 

In the above, X << n is obtained as follows: discard the left-most n bits of X and then 
pad the result with n zeroes on the right (the result will still be 32 bits). X >> n is 
obtained by discarding the right-most n bits of X and then padding the result with n 
zeroes on the left. Thus S^n(X) is equivalent to a circular shift of X by n positions to the 
left. 

4. MESSAGE PADDING 



The SHA-1 is used to compute a message digest for a message or data file that is provided as 
input. The message or data file should be considered to be a bit string. The length of the 
message is the number of bits in the message (the empty message has length 0). If the number 
of bits in a message is a multiple of 8, for compactness we can represent the message in hex. 
The purpose of message padding is to make the total length of a padded message a multiple of 
512. The SHA-1 sequentially processes blocks of 512 bits when computing the message digest. 
The following specifies how this padding shall be performed. As a summary, a "1" followed by 
m "0"s followed by a 64-bit integer are appended to the end of the message to produce a 
padded message of length 512 * n. The 64-bit integer is l, the length of the original message. 
The padded message is then processed by the SHA-1 as n 512-bit blocks. 

Suppose a message has length l < 2^64. Before it is input to the SHA-1, the message is padded on 
the right as follows: 

a. "1" is appended. Example: if the original message is "01010000", this is padded to 
"010100001". 

b. "0"s are appended. The number of "0"s will depend on the original length of the 
message. The last 64 bits of the last 512-bit block are reserved for the length l of the 
original message. 

Example: Suppose the original message is the bit string 

01100001 01100010 01100011 01100100 01100101. 

After step (a) this gives 

01100001 01100010 01100011 01100100 01100101 1. 

Since l = 40, the number of bits in the above is 41 and 407 "0"s are appended, 
making the total now 448. This gives (in hex) 

61626364 65800000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000. 

c. Obtain the 2-word representation of l, the number of bits in the original 
message. If l < 2^32 then the first word is all zeroes. Append these two words to the 
padded message. 

Example: Suppose the original message is as in (b). Then l = 40 (note that l 
is computed before any padding). The two-word representation of 40 is hex 
00000000 00000028. Hence the final padded message is hex 

61626364 65800000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000028. 

The padded message will contain 16 * n words for some n > 0. The padded 
message is regarded as a sequence of n blocks M_1, M_2, ... , M_n, where each M_i 
contains 16 words and M_1 contains the first characters (or bits) of the message. 

5. FUNCTIONS USED 

A sequence of logical functions f_0, f_1, ... , f_79 is used in the SHA-1. Each f_t, 0 <= t <= 
79, operates on three 32-bit words B, C, D and produces a 32-bit word as output. f_t(B,C,D) 
is defined as follows: for words B, C, D, 

f_t(B,C,D) = (B AND C) OR ((NOT B) AND D)         ( 0 <= t <= 19) 

f_t(B,C,D) = B XOR C XOR D                        (20 <= t <= 39) 

f_t(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)  (40 <= t <= 59) 

f_t(B,C,D) = B XOR C XOR D                        (60 <= t <= 79). 

6. CONSTANTS USED 



A sequence of constant words K(0), K(1), ... , K(79) is used in the SHA-1. In hex 
these are given by 

K_t = 5A827999 ( 0 <= t <= 19) 

K_t = 6ED9EBA1 (20 <= t <= 39) 

K_t = 8F1BBCDC (40 <= t <= 59) 

K_t = CA62C1D6 (60 <= t <= 79). 

7. COMPUTING THE MESSAGE DIGEST 

The message digest is computed using the final padded message. The computation 
uses two buffers, each consisting of five 32-bit words, and a sequence of eighty 
32-bit words. The words of the first 5-word buffer are labeled A,B,C,D,E. The 
words of the second 5-word buffer are labeled H_0, H_1, H_2, H_3, H_4. The words of the 
80-word sequence are labeled W_0, W_1, ... , W_79. A single word buffer TEMP is also 
employed. 

To generate the message digest, the 16-word blocks M_1, M_2, ... , M_n defined in 
Section 4 are processed in order. The processing of each M_i involves 80 steps. 

Before processing any blocks, the {H_i} are initialized as follows: in hex, 

H_0 = 67452301 

H_1 = EFCDAB89 

H_2 = 98BADCFE 

H_3 = 10325476 

H_4 = C3D2E1F0. 

Now M_1, M_2, ... , M_n are processed. To process M_i, we proceed as follows: 

a. Divide M_i into 16 words W_0, W_1, ... , W_15, where W_0 is the left-most word. 

b. For t = 16 to 79 let W_t = S^1(W_{t-3} XOR W_{t-8} XOR W_{t-14} XOR W_{t-16}). 

c. Let A = H_0, B = H_1, C = H_2, D = H_3, E = H_4. 

d. For t = 0 to 79 do 

TEMP = S^5(A) + f_t(B,C,D) + E + W_t + K_t; 

E = D; D = C; C = S^30(B); B = A; A = TEMP; 

e. Let H_0 = H_0 + A, H_1 = H_1 + B, H_2 = H_2 + C, H_3 = H_3 + D, H_4 = H_4 + E. 

After processing M_n, the message digest is the 160-bit string represented by the 5 
words 

H_0 H_1 H_2 H_3 H_4. 

8. ALTERNATE METHOD OF COMPUTATION 

The above assumes that the sequence W_0, ... , W_79 is implemented as an array of 
eighty 32-bit words. This is efficient from the standpoint of minimization of 
execution time, since the addresses of W_{t-3}, ... , W_{t-16} in step (b) are easily computed. 
If space is at a premium, an alternative is to regard { W_t } as a circular queue, 
which may be implemented using an array of sixteen 32-bit words W[0], ... W[15]. 
In this case, in hex let MASK = 0000000F. Then processing of M_i is as follows: 

a. Divide M_i into 16 words W[0], ... , W[15], where W[0] is the left-most 
word. 

b. Let A = H_0, B = H_1, C = H_2, D = H_3, E = H_4. 

c. For t = 0 to 79 do 

s = t AND MASK; 

if (t >= 16) W[s] = S^1(W[(s + 13) AND MASK] XOR W[(s + 8) AND 
MASK] XOR W[(s + 2) AND MASK] XOR W[s]); 

TEMP = S^5(A) + f_t(B,C,D) + E + W[s] + K_t; 
E = D; D = C; C = S^30(B); B = A; A = TEMP; 

d. Let H_0 = H_0 + A, H_1 = H_1 + B, H_2 = H_2 + C, H_3 = H_3 + D, H_4 = H_4 + E. 

9. COMPARISON OF METHODS 



The methods of Sections 7 and 8 yield the same message digest. Although using 
the method of Section 8 saves sixty-four 32-bit words of storage, it is likely to 
lengthen execution time due to the increased complexity of the address 
computations for the { W[t] } in step (c). Other computation methods which give 
identical results may be implemented in conformance with the standard. 
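
The two procedures of Sections 7 and 8, written out as an added Python example (it is not part of the standard's text or of the application): it implements both message-schedule methods over a shared 80-step loop so their digests can be compared. The function names are this example's own; f_t and K_t follow Sections 5 and 6 of the standard, which are not reproduced in this part of the page, and the padding follows Section 4 as walked through in Appendix A.

```python
import struct

MASK32 = 0xFFFFFFFF
# Initial values H_0 .. H_4 from Section 7.
H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, n):
    """Circular left shift S^n(X) of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def f_k(t, b, c, d):
    """Return (f_t(B,C,D), K_t); definitions taken from Sections 5 and 6."""
    if t < 20:
        return (b & c) | (~b & d), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def pad(message):
    """Section 4 padding: a "1" bit, "0" bits, then the 2-word bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack(">Q", 8 * len(message))


def rounds(w_at, h, trace):
    """The "for t = 0 to 79" loop; w_at(t) supplies W_t for each pass."""
    a, b, c, d, e = h
    for t in range(80):
        f, k = f_k(t, b, c, d)
        temp = (rotl(a, 5) + f + e + w_at(t) + k) & MASK32
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
        if trace is not None:
            trace.append((a, b, c, d, e))  # A,B,C,D,E after pass t
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


def block_section7(block, h, trace=None):
    """Section 7: expand the block into an array of eighty words first."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return rounds(lambda t: w[t], h, trace)


def block_section8(block, h, trace=None):
    """Section 8: sixteen-word circular queue, indices reduced with MASK."""
    w = list(struct.unpack(">16I", block))
    mask = 0x0000000F

    def w_at(t):
        s = t & mask
        if t >= 16:
            w[s] = rotl(w[(s + 13) & mask] ^ w[(s + 8) & mask]
                        ^ w[(s + 2) & mask] ^ w[s], 1)
        return w[s]

    return rounds(w_at, h, trace)


def sha1(message, process_block=block_section7):
    """Digest of a byte string as 40 upper-case hex digits."""
    h = H_INIT
    padded = pad(message)
    for i in range(0, len(padded), 64):
        h = process_block(padded[i:i + 64], h)
    return "".join("%08X" % word for word in h)


if __name__ == "__main__":
    for method in (block_section7, block_section8):
        print(method.__name__, sha1(b"abc", method))
```
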

APPENDIX A. A SAMPLE MESSAGE AND ITS MESSAGE DIGEST 

This appendix is for informational purposes only and is not required to meet the 
standard. 

Let the message be the ASCII binary-coded form of "abc", i.e.,
01100001 01100010 01100011.

This message has length l = 24. In step (a) of Section 4, we append "1". In step (b) we
append 423 "0"s. In step (c) we append hex 00000000 00000018, the 2-word
representation of 24. Thus the final padded message consists of one block, so that n = 1
in the notation of Section 4.

The initial hex values of {H_i} are

H_0 = 67452301
H_1 = EFCDAB89
H_2 = 98BADCFE
H_3 = 10325476
H_4 = C3D2E1F0.

Start processing block 1. The words of block 1 are 



W[0] = 61626380
W[1] = 00000000
W[2] = 00000000
W[3] = 00000000
W[4] = 00000000
W[5] = 00000000
W[6] = 00000000
W[7] = 00000000
W[8] = 00000000
W[9] = 00000000
W[10] = 00000000
W[11] = 00000000
W[12] = 00000000
W[13] = 00000000
W[14] = 00000000
W[15] = 00000018



The hex values of A,B,C,D,E after pass t of the "for t = 0 to 79" loop (step (d) of Section
7 or step (c) of Section 8) are












Block 1 has been processed. The values of {H_i} are

H_0 = 67452301 + 42541B35 = A9993E36
H_1 = EFCDAB89 + 5738D5E1 = 4706816A
H_2 = 98BADCFE + 21834873 = BA3E2571
H_3 = 10325476 + 681E6DF6 = 7850C26C
H_4 = C3D2E1F0 + D8FDF6AD = 9CD0D89D.

Message digest = A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D



APPENDIX B. A SECOND SAMPLE MESSAGE AND ITS MESSAGE DIGEST 



This appendix is for informational purposes only and is not required to meet the standard. 

Let the message be the binary-coded form (cf. Appendix A) of the ASCII string
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq".

Since each of the 56 characters is converted to 8 bits, the length of the message is l = 448. In
step (a) of Section 4, we append "1". In step (b) we append 511 "0"s. In step (c) we append the
2-word representation of 448, i.e., hex 00000000 000001C0. This gives n = 2.

The initial hex values of {H_i} are

H_0 = 67452301
H_1 = EFCDAB89
H_2 = 98BADCFE
H_3 = 10325476
H_4 = C3D2E1F0.

Start processing block 1. The words of block 1 are

W[0] = 61626364
W[1] = 62636465
W[2] = 63646566
W[3] = 64656667
W[4] = 65666768
W[5] = 66676869
W[6] = 6768696A
W[7] = 68696A6B
W[8] = 696A6B6C
W[9] = 6A6B6C6D
W[10] = 6B6C6D6E
W[11] = 6C6D6E6F
W[12] = 6D6E6F70
W[13] = 6E6F7071
W[14] = 80000000
W[15] = 00000000.



The hex values of A,B,C,D,E after pass t of the "for t = 0 to 79" loop (step (d) of Section 7 or 
step (c) of Section 8) are 














Block 1 has been processed. The values of {H_i} are

H_0 = 67452301 + 8CE34517 = F4286818
H_1 = EFCDAB89 + D3AD7C25 = C37B27AE
H_2 = 98BADCFE + 6B4E1883 = 0408F581
H_3 = 10325476 + 74351CD2 = 84677148
H_4 = C3D2E1F0 + 86838382 = 4A566572.

Start processing block 2. The words of block 2 are

W[0] = 00000000
W[1] = 00000000
W[2] = 00000000
W[3] = 00000000
W[4] = 00000000
W[5] = 00000000
W[6] = 00000000
W[7] = 00000000
W[8] = 00000000
W[9] = 00000000
W[10] = 00000000
W[11] = 00000000
W[12] = 00000000
W[13] = 00000000
W[14] = 00000000
W[15] = 000001C0.






The hex values of A,B,C,D,E after pass t of the "for t = 0 to 79" loop (step (d) of Section 7 or
step (c) of Section 8) are










Block 2 has been processed. The values of {H_i} are

H_0 = F4286818 + 906FD62C = 84983E44
H_1 = C37B27AE + 58C0AAC0 = 1C3BD26E
H_2 = 0408F581 + B6A55520 = BAAE4AA1
H_3 = 84677148 + 74E9B89D = F95129E5
H_4 = 4A566572 + 9AF00B7F = E54670F1.

Message digest = 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1

APPENDIX C. A THIRD SAMPLE MESSAGE AND ITS MESSAGE DIGEST



This appendix is for informational purposes only and is not required to meet the standard. 

Let the message be the binary-coded form of the ASCII string which consists of 1,000,000 repetitions 
of "a". 

Message digest = 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F



The Foreword, Abstract, and Key Words follow: 

FIPS PUB 180-1

FEDERAL INFORMATION 

PROCESSING STANDARDS PUBLICATION 

1995 April 17 






U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology 

SECURE HASH STANDARD 

U.S. DEPARTMENT OF COMMERCE, Ronald H. Brown, Secretary 
National Institute of Standards and Technology, Arati Prabhakar, Director 

Foreword 

The Federal Information Processing Standards Publication Series of the National Institute of 
Standards and Technology (NIST) is the official publication relating to standards and guidelines 
adopted and promulgated under the provisions of Section 111(d) of the Federal Property and
Administrative Services Act of 1949 as amended by the Computer Security Act of 1987, Public Law 
100-235. These mandates have given the Secretary of Commerce and NIST important responsibilities 
for improving the utilization and management of computers and related telecommunications systems 
in the Federal Government. The NIST, through its Computer Systems Laboratory, provides 
leadership, technical guidance, and coordination of Government efforts in the development of 
standards and guidelines in these areas. 

Comments concerning Federal Information Processing Standards Publications are welcomed and 
should be addressed to the Director, Computer Systems Laboratory, National Institute of Standards 
and Technology, Gaithersburg, MD 20899. 

James H. Burrows, Director 
Computer Systems Laboratory 

Abstract 

This standard specifies a Secure Hash Algorithm (SHA-1) which can be used to generate a condensed 
representation of a message called a message digest. The SHA-1 is required for use with the Digital 
Signature Algorithm (DSA) as specified in the Digital Signature Standard (DSS) and whenever a 
secure hash algorithm is required for Federal applications. The SHA-1 is used by both the transmitter 
and intended receiver of a message in computing and verifying a digital signature. 

Key words: computer security; digital signatures; Federal Information Processing Standard (FIPS);
hash algorithm. 






Internet RFC/STD/FYI/BCP Archives 




RFC1321 






Network Working Group 
Request for Comments: 1321 



R. Rivest 

MIT Laboratory for Computer Science 
and RSA Data Security, Inc. 

April 1992 



The MD5 Message-Digest Algorithm 



Status of this Memo 

This memo provides information for the Internet community. It does 
not specify an Internet standard. Distribution of this memo is 
unlimited. 

Acknowledgements

We would like to thank Don Coppersmith, Burt Kaliski, Ralph Merkle, 
David Chaum, and Noam Nisan for numerous helpful comments and 
suggestions.

Table of Contents 

1. Executive Summary
2. Terminology and Notation
3. MD5 Algorithm Description
4. Summary
5. Differences Between MD4 and MD5
References
APPENDIX A - Reference Implementation
Security Considerations
Author's Address

1. Executive Summary 

This document describes the MD5 message-digest algorithm. The 
algorithm takes as input a message of arbitrary length and produces 
as output a 128-bit "fingerprint" or "message digest" of the input. 
It is conjectured that it is computationally infeasible to produce 
two messages having the same message digest, or to produce any 
message having a given prespecified target message digest. The MD5 
algorithm is intended for digital signature applications, where a 
large file must be "compressed" in a secure manner before being 
encrypted with a private (secret) key under a public-key cryptosystem 
such as RSA. 

The MD5 algorithm is designed to be quite fast on 32-bit machines. In 
addition, the MD5 algorithm does not require any large substitution 
tables; the algorithm can be coded quite compactly. 



The MD5 algorithm is an extension of the MD4 message-digest algorithm 
[1,2]. MD5 is slightly slower than MD4, but is more "conservative" in 
design. MD5 was designed because it was felt that MD4 was perhaps 
being adopted for use more quickly than justified by the existing 
critical review; because MD4 was designed to be exceptionally fast, 
it is "at the edge" in terms of risking successful cryptanalytic 
attack. MD5 backs off a bit, giving up a little in speed for a much 
greater likelihood of ultimate security. It incorporates some 
suggestions made by various reviewers, and contains additional 
optimizations. The MD5 algorithm is being placed in the public domain 
for review and possible adoption as a standard. 

For OSI-based applications, MD5's object identifier is 

md5 OBJECT IDENTIFIER ::= 
  {iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5} 

In the X.509 type AlgorithmIdentifier [3], the parameters for MD5 
should have type NULL. 

2. Terminology and Notation 

In this document a "word" is a 32-bit quantity and a "byte" is an 
eight-bit quantity. A sequence of bits can be interpreted in a 
natural manner as a sequence of bytes, where each consecutive group 
of eight bits is interpreted as a byte with the high-order (most 
significant) bit of each byte listed first. Similarly, a sequence of 
bytes can be interpreted as a sequence of 32-bit words, where each 
consecutive group of four bytes is interpreted as a word with the 
low-order (least significant) byte given first. 

Let x_i denote "x sub i". If the subscript is an expression, we 
surround it in braces, as in x_{i+1}. Similarly, we use ^ for 
superscripts (exponentiation), so that x^i denotes x to the i-th 
power. 

Let the symbol "+" denote addition of words (i.e., modulo-2^32 
addition). Let X <<< s denote the 32-bit value obtained by circularly 
shifting (rotating) X left by s bit positions. Let not(X) denote the 
bit-wise complement of X, and let X v Y denote the bit-wise OR of X 
and Y. Let X xor Y denote the bit-wise XOR of X and Y, and let XY 
denote the bit-wise AND of X and Y. 

3. MD5 Algorithm Description 

We begin by supposing that we have a b-bit message as input, and that 
we wish to find its message digest. Here b is an arbitrary 
nonnegative integer; b may be zero, it need not be a multiple of 
eight, and it may be arbitrarily large. We imagine the bits of the 
message written down as follows: 

m_0 m_1 ... m_{b-1} 

The following five steps are performed to compute the message digest 
of the message. 

3.1 Step 1. Append Padding Bits 

The message is "padded" (extended) so that its length (in bits) is 
congruent to 448, modulo 512. That is, the message is extended so 
that it is just 64 bits shy of being a multiple of 512 bits long. 
Padding is always performed, even if the length of the message is 
already congruent to 448, modulo 512. 
Padding is performed as follows: a single "1" bit is appended to the 
message, and then "0" bits are appended so that the length in bits of 
the padded message becomes congruent to 448, modulo 512. In all, at 
least one bit and at most 512 bits are appended. 

3.2 Step 2. Append Length 

A 64-bit representation of b (the length of the message before the 
padding bits were added) is appended to the result of the previous 
step. In the unlikely event that b is greater than 2^64, then only 
the low-order 64 bits of b are used. (These bits are appended as two 
32-bit words and appended low-order word first in accordance with the 
previous conventions.) 

At this point the resulting message (after padding with bits and with 
b) has a length that is an exact multiple of 512 bits. Equivalently, 
this message has a length that is an exact multiple of 16 (32-bit) 
words. Let M[0 ... N-1] denote the words of the resulting message, 
where N is a multiple of 16. 

3.3 Step 3. Initialize MD Buffer 

A four-word buffer (A,B,C,D) is used to compute the message digest. 
Here each of A, B, C, D is a 32-bit register. These registers are 
initialized to the following values (in hexadecimal, low-order bytes 
first): 

word A: 01 23 45 67 
word B: 89 ab cd ef 
word C: fe dc ba 98 
word D: 76 54 32 10 

3.4 Step 4. Process Message in 16-Word Blocks 

We first define four auxiliary functions that each take as input 
three 32-bit words and produce as output one 32-bit word. 

F(X,Y,Z) = XY v not(X) Z 

G(X,Y,Z) = XZ v Y not(Z) 

H(X,Y,Z) = X xor Y xor Z 

I(X,Y,Z) = Y xor (X v not(Z)) 

In each bit position F acts as a conditional: if X then Y else Z. 
(The function F could have been defined using + instead of v since XY 
and not(X)Z will never have 1's in the same bit position.) It is 
interesting to note that if the bits of X, Y, and Z are independent 
and unbiased, then each bit of F(X,Y,Z) will be independent and 
unbiased. 

The functions G, H, and I are similar to the function F, in that they 
act in "bitwise parallel" to produce their output from the bits of X, 
Y, and Z, in such a manner that if the corresponding bits of X, Y, 
and Z are independent and unbiased, then each bit of G(X,Y,Z), 
H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that 
the function H is the bit-wise "xor" or "parity" function of its 
inputs. 

This step uses a 64-element table T[1 ... 64] constructed from the 
sine function. Let T[i] denote the i-th element of the table, which 
is equal to the integer part of 4294967296 times abs(sin(i)), where i 
is in radians. The elements of the table are given in the appendix. 

Do the following: 
/* Process each 16-word block. */ 
For i = 0 to N/16-1 do 

  /* Copy block i into X. */ 
  For j = 0 to 15 do 
    Set X[j] to M[i*16+j]. 
  end /* of loop on j */ 

  /* Save A as AA, B as BB, C as CC, and D as DD. */ 
  AA = A 
  BB = B 
  CC = C 
  DD = D 

  /* Round 1. */ 
  /* Let [abcd k s i] denote the operation 
       a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ 
  /* Do the following 16 operations. */ 
  [ABCD  0  7  1]  [DABC  1 12  2]  [CDAB  2 17  3]  [BCDA  3 22  4] 
  [ABCD  4  7  5]  [DABC  5 12  6]  [CDAB  6 17  7]  [BCDA  7 22  8] 
  [ABCD  8  7  9]  [DABC  9 12 10]  [CDAB 10 17 11]  [BCDA 11 22 12] 
  [ABCD 12  7 13]  [DABC 13 12 14]  [CDAB 14 17 15]  [BCDA 15 22 16] 

  /* Round 2. */ 
  /* Let [abcd k s i] denote the operation 
       a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ 
  /* Do the following 16 operations. */ 
  [ABCD  1  5 17]  [DABC  6  9 18]  [CDAB 11 14 19]  [BCDA  0 20 20] 
  [ABCD  5  5 21]  [DABC 10  9 22]  [CDAB 15 14 23]  [BCDA  4 20 24] 
  [ABCD  9  5 25]  [DABC 14  9 26]  [CDAB  3 14 27]  [BCDA  8 20 28] 
  [ABCD 13  5 29]  [DABC  2  9 30]  [CDAB  7 14 31]  [BCDA 12 20 32] 

  /* Round 3. */ 
  /* Let [abcd k s t] denote the operation 
       a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ 
  /* Do the following 16 operations. */ 
  [ABCD  5  4 33]  [DABC  8 11 34]  [CDAB 11 16 35]  [BCDA 14 23 36] 
  [ABCD  1  4 37]  [DABC  4 11 38]  [CDAB  7 16 39]  [BCDA 10 23 40] 
  [ABCD 13  4 41]  [DABC  0 11 42]  [CDAB  3 16 43]  [BCDA  6 23 44] 
  [ABCD  9  4 45]  [DABC 12 11 46]  [CDAB 15 16 47]  [BCDA  2 23 48] 

  /* Round 4. */ 
  /* Let [abcd k s t] denote the operation 
       a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ 
  /* Do the following 16 operations. */ 
  [ABCD  0  6 49]  [DABC  7 10 50]  [CDAB 14 15 51]  [BCDA  5 21 52] 
  [ABCD 12  6 53]  [DABC  3 10 54]  [CDAB 10 15 55]  [BCDA  1 21 56] 
  [ABCD  8  6 57]  [DABC 15 10 58]  [CDAB  6 15 59]  [BCDA 13 21 60] 
  [ABCD  4  6 61]  [DABC 11 10 62]  [CDAB  2 15 63]  [BCDA  9 21 64] 

  /* Then perform the following additions. (That is increment each 
     of the four registers by the value it had before this block 
     was started.) */ 
  A = A + AA 
  B = B + BB 
  C = C + CC 
  D = D + DD 

end /* of loop on i */ 

3.5 Step 5. Output 

The message digest produced as output is A, B, C, D. That is, we 
begin with the low-order byte of A, and end with the high-order byte 
of D. 

This completes the description of MD5. A reference implementation in 
C is given in the appendix. 
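
The five steps of section 3 written out as one compact C routine, as an added example that is not part of the memo or of the RSAREF code in the appendix. The names md5, md5_block and md5_hex, the index formulas that reproduce the X[k] columns of section 3.4, and the hand-written T table are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* T[i] = integer part of 2^32 * abs(sin(i)), i = 1..64; T[1] sits at index 0.
   Standard MD5 constants written out by hand (assumption: not taken from the page). */
static const uint32_t T[64] = {
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a,
    0xa8304613, 0xfd469501, 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
    0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821, 0xf61e2562, 0xc040b340,
    0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8,
    0x676f02d9, 0x8d2a4c8a, 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
    0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70, 0x289b7ec6, 0xeaa127fa,
    0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92,
    0xffeff47d, 0x85845dd1, 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
    0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
};
/* Rotate amounts s: four per round, repeating, as in the section 3.4 lists. */
static const unsigned S[4][4] = {{7, 12, 17, 22}, {5, 9, 14, 20},
                                 {4, 11, 16, 23}, {6, 10, 15, 21}};

static uint32_t rotl(uint32_t x, unsigned s) { return (x << s) | (x >> (32 - s)); }

/* Step 4: fold one 64-byte block into the (A,B,C,D) state. */
static void md5_block(uint32_t st[4], const uint8_t *p)
{
    uint32_t X[16], a = st[0], b = st[1], c = st[2], d = st[3];
    for (int j = 0; j < 16; j++)             /* words are low-order byte first */
        X[j] = (uint32_t)p[4 * j] | (uint32_t)p[4 * j + 1] << 8 |
               (uint32_t)p[4 * j + 2] << 16 | (uint32_t)p[4 * j + 3] << 24;
    for (unsigned i = 0; i < 64; i++) {
        uint32_t f, t;
        unsigned k;                          /* k reproduces the X[k] columns */
        switch (i / 16) {
        case 0:  f = (b & c) | (~b & d); k = i;                break; /* F */
        case 1:  f = (b & d) | (c & ~d); k = (5 * i + 1) % 16; break; /* G */
        case 2:  f = b ^ c ^ d;          k = (3 * i + 5) % 16; break; /* H */
        default: f = c ^ (b | ~d);       k = (7 * i) % 16;     break; /* I */
        }
        /* a = b + ((a + f + X[k] + T[i+1]) <<< s), then rotate register roles */
        t = b + rotl(a + f + X[k] + T[i], S[i / 16][i % 4]);
        a = d; d = c; c = b; b = t;
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

/* Steps 1-5 for a whole message held in memory; writes the 16-byte digest. */
void md5(const uint8_t *msg, size_t len, uint8_t out[16])
{
    uint32_t st[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}; /* step 3 */
    uint8_t tail[128] = {0};
    size_t full = len - len % 64, rem = len % 64;
    size_t padded = (rem < 56) ? 64 : 128;   /* rem >= 56: length needs a 2nd block */
    uint64_t bits = (uint64_t)len * 8;       /* b, kept modulo 2^64 */
    for (size_t off = 0; off < full; off += 64)
        md5_block(st, msg + off);
    if (rem)
        memcpy(tail, msg + full, rem);
    tail[rem] = 0x80;                        /* step 1: a 1 bit, then 0 bits */
    for (int i = 0; i < 8; i++)              /* step 2: length, low byte first */
        tail[padded - 8 + i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < padded; off += 64)
        md5_block(st, tail + off);
    for (int i = 0; i < 16; i++)             /* step 5: A..D, low byte first */
        out[i] = (uint8_t)(st[i / 4] >> (8 * (i % 4)));
}

/* Hex digest of a C string; returns a static buffer. */
const char *md5_hex(const char *s)
{
    static char hex[33];
    uint8_t d[16];
    md5((const uint8_t *)s, strlen(s), d);
    for (int i = 0; i < 16; i++)
        sprintf(hex + 2 * i, "%02x", d[i]);
    return hex;
}

int main(void)
{
    puts(md5_hex("abc"));                    /* one input from the A.5 test suite */
    return 0;
}
```

The 62-byte input of the A.5 test suite is the case where the remainder is 56 bytes or more, so the padding and length spill into a second block.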

4. Summary 

The MD5 message-digest algorithm is simple to implement, and provides 
a "fingerprint" or message digest of a message of arbitrary length. 
It is conjectured that the difficulty of coming up with two messages 
having the same message digest is on the order of 2^64 operations, 
and that the difficulty of coming up with any message having a given 
message digest is on the order of 2^128 operations. The MD5 algorithm 
has been carefully scrutinized for weaknesses. It is, however, a 
relatively new algorithm and further security analysis is of course 
justified, as is the case with any new proposal of this sort. 

5. Differences Between MD4 and MD5 

The following are the differences between MD4 and MD5: 

1. A fourth round has been added. 

2. Each step now has a unique additive constant. 

3. The function g in round 2 was changed from (XY v XZ v YZ) to 
(XZ v Y not(Z)) to make g less symmetric. 

4. Each step now adds in the result of the previous step. This 
promotes a faster "avalanche effect". 

5. The order in which input words are accessed in rounds 2 and 
3 is changed, to make these patterns less like each other. 

6. The shift amounts in each round have been approximately 
optimized, to yield a faster "avalanche effect." The shifts in 
different rounds are distinct. 
APPENDIX A - Reference Implementation 

This appendix contains the following files taken from RSAREF: A 
Cryptographic Toolkit for Privacy-Enhanced Mail: 

global.h -- global header file 

md5.h -- header file for MD5 

md5c.c -- source code for MD5 

For more information on RSAREF, send email to <rsaref@rsa.com>. 

The appendix also includes the following file: 

mddriver.c -- test driver for MD2, MD4 and MD5 

The driver compiles for MD5 by default but can compile for MD2 or MD4 
if the symbol MD is defined on the C compiler command line as 2 or 4. 

The implementation is portable and should work on many different 
platforms. However, it is not difficult to optimize the implementation 
on particular platforms, an exercise left to the reader. For example, 
on "little-endian" platforms where the lowest-addressed byte in a 
32-bit word is the least significant and there are no alignment 
restrictions, the call to Decode in MD5Transform can be replaced with 
a typecast. 

A.1 global.h 

/* GLOBAL.H - RSAREF types and constants 
 */ 

/* PROTOTYPES should be set to one if and only if the compiler supports 
   function argument prototyping. 
   The following makes PROTOTYPES default to 0 if it has not already 
   been defined with C compiler flags. 
 */ 
#ifndef PROTOTYPES 
#define PROTOTYPES 0 
#endif 

/* POINTER defines a generic pointer type */ 
typedef unsigned char *POINTER; 

/* UINT2 defines a two byte word */ 
typedef unsigned short int UINT2; 

/* UINT4 defines a four byte word. The type chosen must be exactly 32 
   bits wide: ROTATE_LEFT in md5c.c relies on that, and unsigned long 
   is 64 bits wide on LP64 platforms. 
 */ 
typedef unsigned long int UINT4; 

/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. 
   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it 
   returns an empty list. 
 */ 
#if PROTOTYPES 
#define PROTO_LIST(list) list 
#else 
#define PROTO_LIST(list) () 
#endif 

A.2 md5.h 

/* MD5.H - header file for MD5C.C 
*/ 

/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All 
rights reserved. 

License to copy and use this software is granted provided that it 
is identified as the "RSA Data Security, Inc. MD5 Message-Digest 
Algorithm" in all material mentioning or referencing this software 
or this function. 

License is also granted to make and use derivative works provided 
that such works are identified as "derived from the RSA Data 
Security, Inc. MD5 Message-Digest Algorithm" in all material 
mentioning or referencing the derived work. 

RSA Data Security, Inc. makes no representations concerning either 
the merchantability of this software or the suitability of this 
software for any particular purpose. It is provided "as is" 
without express or implied warranty of any kind. 

These notices must be retained in any copies of any part of this 
documentation and/or software. 
*/ 

/* MD5 context. */ 
typedef struct { 
  UINT4 state[4];            /* state (ABCD) */ 
  UINT4 count[2];            /* number of bits, modulo 2^64 (lsb first) */ 
  unsigned char buffer[64];  /* input buffer */ 
} MD5_CTX; 

void MD5Init PROTO_LIST ((MD5_CTX *)); 
void MD5Update PROTO_LIST 
  ((MD5_CTX *, unsigned char *, unsigned int)); 
void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *)); 

A.3 md5c.c 

/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm 
*/ 

/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All 
rights reserved. 

License to copy and use this software is granted provided that it 
is identified as the "RSA Data Security, Inc. MD5 Message-Digest 
Algorithm" in all material mentioning or referencing this software 
or this function. 

License is also granted to make and use derivative works provided 
that such works are identified as "derived from the RSA Data 
Security, Inc. MD5 Message-Digest Algorithm" in all material 
mentioning or referencing the derived work. 

RSA Data Security, Inc. makes no representations concerning either 
the merchantability of this software or the suitability of this 
software for any particular purpose. It is provided "as is" 
without express or implied warranty of any kind. 

These notices must be retained in any copies of any part of this 
documentation and/or software. 
*/ 

#include "global.h" 
#include "md5.h" 

/* Constants for MD5Transform routine. 
 */ 
#define S11 7 
#define S12 12 
#define S13 17 
#define S14 22 
#define S21 5 
#define S22 9 
#define S23 14 
#define S24 20 
#define S31 4 
#define S32 11 
#define S33 16 
#define S34 23 
#define S41 6 
#define S42 10 
#define S43 15 
#define S44 21 

static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64])); 
static void Encode PROTO_LIST 
  ((unsigned char *, UINT4 *, unsigned int)); 
static void Decode PROTO_LIST 
  ((UINT4 *, unsigned char *, unsigned int)); 
static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int)); 
static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int)); 

/* One 0x80 byte (the single "1" bit of step 1) followed by 63 zero bytes. */ 
static unsigned char PADDING[64] = { 
  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 
}; 

/* F, G, H and I are basic MD5 functions. 
 */ 
#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) 
#define G(x, y, z) (((x) & (z)) | ((y) & (~z))) 
#define H(x, y, z) ((x) ^ (y) ^ (z)) 
#define I(x, y, z) ((y) ^ ((x) | (~z))) 

/* ROTATE_LEFT rotates x left n bits. 
 */ 
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) 

/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. 
   Rotation is separate from addition to prevent recomputation. 
 */ 
#define FF(a, b, c, d, x, s, ac) { \ 
  (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \ 
  (a) = ROTATE_LEFT ((a), (s)); \ 
  (a) += (b); \ 
  } 
#define GG(a, b, c, d, x, s, ac) { \ 
  (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \ 
  (a) = ROTATE_LEFT ((a), (s)); \ 
  (a) += (b); \ 
  } 
#define HH(a, b, c, d, x, s, ac) { \ 
  (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \ 
  (a) = ROTATE_LEFT ((a), (s)); \ 
  (a) += (b); \ 
  } 
#define II(a, b, c, d, x, s, ac) { \ 
  (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \ 
  (a) = ROTATE_LEFT ((a), (s)); \ 
  (a) += (b); \ 
  } 

/* MD5 initialization. Begins an MD5 operation, writing a new context. 
 */ 
void MD5Init (context) 
MD5_CTX *context;                                        /* context */ 
{ 
  context->count[0] = context->count[1] = 0; 

  /* Load magic initialization constants. 
   */ 
  context->state[0] = 0x67452301; 
  context->state[1] = 0xefcdab89; 
  context->state[2] = 0x98badcfe; 
  context->state[3] = 0x10325476; 
} 

/* MD5 block update operation. Continues an MD5 message-digest 
   operation, processing another message block, and updating the 
   context. 
 */ 
void MD5Update (context, input, inputLen) 
MD5_CTX *context;                                        /* context */ 
unsigned char *input;                                /* input block */ 
unsigned int inputLen;                     /* length of input block */ 
{ 
  unsigned int i, index, partLen; 

  /* Compute number of bytes mod 64 */ 
  index = (unsigned int)((context->count[0] >> 3) & 0x3F); 

  /* Update number of bits; count[1] takes the carry out of count[0] */ 
  if ((context->count[0] += ((UINT4)inputLen << 3)) 
      < ((UINT4)inputLen << 3)) 
    context->count[1]++; 
  context->count[1] += ((UINT4)inputLen >> 29); 

  partLen = 64 - index; 

  /* Transform as many times as possible. 
   */ 
  if (inputLen >= partLen) { 
    MD5_memcpy 
      ((POINTER)&context->buffer[index], (POINTER)input, partLen); 
    MD5Transform (context->state, context->buffer); 

    for (i = partLen; i + 63 < inputLen; i += 64) 
      MD5Transform (context->state, &input[i]); 

    index = 0; 
  } 
  else 
    i = 0; 

  /* Buffer remaining input */ 
  MD5_memcpy 
    ((POINTER)&context->buffer[index], (POINTER)&input[i], 
     inputLen-i); 
} 

/* MD5 finalization. Ends an MD5 message-digest operation, writing the 
   message digest and zeroizing the context. 
 */ 
void MD5Final (digest, context) 
unsigned char digest[16];                         /* message digest */ 
MD5_CTX *context;                                        /* context */ 
{ 
  unsigned char bits[8]; 
  unsigned int index, padLen; 

  /* Save number of bits */ 
  Encode (bits, context->count, 8); 

  /* Pad out to 56 mod 64. 
   */ 
  index = (unsigned int)((context->count[0] >> 3) & 0x3f); 
  padLen = (index < 56) ? (56 - index) : (120 - index); 
  MD5Update (context, PADDING, padLen); 

  /* Append length (before padding) */ 
  MD5Update (context, bits, 8); 

  /* Store state in digest */ 
  Encode (digest, context->state, 16); 

  /* Zeroize sensitive information. 
   */ 
  MD5_memset ((POINTER)context, 0, sizeof (*context)); 
} 

/* MD5 basic transformation. Transforms state based on block. 
 */ 
static void MD5Transform (state, block) 
UINT4 state[4]; 
unsigned char block[64]; 
{ 
  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16]; 

  Decode (x, block, 64); 

  /* The 64 round steps (the FF, GG, HH and II calls for rounds 1 to 4, 
     as listed in section 3.4) are not present in this copy of the 
     listing. 
   */ 

  state[0] += a; 
  state[1] += b; 
  state[2] += c; 
  state[3] += d; 

  /* Zeroize sensitive information. 
   */ 
  MD5_memset ((POINTER)x, 0, sizeof (x)); 
} 

/* Encodes input (UINT4) into output (unsigned char). Assumes len is 
   a multiple of 4. 
 */ 
static void Encode (output, input, len) 
unsigned char *output; 
UINT4 *input; 
unsigned int len; 
{ 
  unsigned int i, j; 

  for (i = 0, j = 0; j < len; i++, j += 4) { 
    output[j] = (unsigned char)(input[i] & 0xff); 
    output[j+1] = (unsigned char)((input[i] >> 8) & 0xff); 
    output[j+2] = (unsigned char)((input[i] >> 16) & 0xff); 
    output[j+3] = (unsigned char)((input[i] >> 24) & 0xff); 
  } 
} 

/* Decodes input (unsigned char) into output (UINT4). Assumes len is 
   a multiple of 4. 
 */ 
static void Decode (output, input, len) 
UINT4 *output; 
unsigned char *input; 
unsigned int len; 
{ 
  unsigned int i, j; 

  for (i = 0, j = 0; j < len; i++, j += 4) 
    output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | 
      (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24); 
} 

/* Note: Replace "for loop" with standard memcpy if possible. 
 */ 
static void MD5_memcpy (output, input, len) 
POINTER output; 
POINTER input; 
unsigned int len; 
{ 
  unsigned int i; 

  for (i = 0; i < len; i++) 
    output[i] = input[i]; 
} 

/* Note: Replace "for loop" with standard memset if possible. 
 */ 
static void MD5_memset (output, value, len) 
POINTER output; 
int value; 
unsigned int len; 
{ 
  unsigned int i; 

  for (i = 0; i < len; i++) 
    ((char *)output)[i] = (char)value; 
} 

A.4 mddriver.c 

/* MDDRIVER.C - test driver for MD2, MD4 and MD5 
 */ 

/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All 
rights reserved. 

RSA Data Security, Inc. makes no representations concerning either 
the merchantability of this software or the suitability of this 
software for any particular purpose. It is provided "as is" 
without express or implied warranty of any kind. 

These notices must be retained in any copies of any part of this 
documentation and/or software. 
*/ 
/* The following makes MD default to MD5 if it has not already been 
   defined with C compiler flags. MD must be the number 2, 4 or 5, 
   because the #if tests below compare it numerically. 
 */ 
#ifndef MD 
#define MD 5 
#endif 

#include <stdio.h> 
#include <time.h> 
#include <string.h> 
#include "global.h" 
#if MD == 2 
#include "md2.h" 
#endif 
#if MD == 4 
#include "md4.h" 
#endif 
#if MD == 5 
#include "md5.h" 
#endif 

/* Length of test block, number of test blocks. 
 */ 
#define TEST_BLOCK_LEN 1000 
#define TEST_BLOCK_COUNT 1000 

static void MDString PROTO_LIST ((char *)); 
static void MDTimeTrial PROTO_LIST ((void)); 
static void MDTestSuite PROTO_LIST ((void)); 
static void MDFile PROTO_LIST ((char *)); 
static void MDFilter PROTO_LIST ((void)); 
static void MDPrint PROTO_LIST ((unsigned char [16])); 

#if MD == 2 
#define MD_CTX MD2_CTX 
#define MDInit MD2Init 
#define MDUpdate MD2Update 
#define MDFinal MD2Final 
#endif 
#if MD == 4 
#define MD_CTX MD4_CTX 
#define MDInit MD4Init 
#define MDUpdate MD4Update 
#define MDFinal MD4Final 
#endif 
#if MD == 5 
#define MD_CTX MD5_CTX 
#define MDInit MD5Init 
#define MDUpdate MD5Update 
#define MDFinal MD5Final 
#endif 

/* Main driver. 

   Arguments (may be any combination): 
     -sstring - digests string 
     -t       - runs time trial 
     -x       - runs test script 
     filename - digests file 
     (none)   - digests standard input 
 */ 
int main (argc, argv) 
int argc; 
char *argv[]; 
{ 
  int i; 

  if (argc > 1) 
    for (i = 1; i < argc; i++) 
      if (argv[i][0] == '-' && argv[i][1] == 's') 
        MDString (argv[i] + 2); 
      else if (strcmp (argv[i], "-t") == 0) 
        MDTimeTrial (); 
      else if (strcmp (argv[i], "-x") == 0) 
        MDTestSuite (); 
      else 
        MDFile (argv[i]); 
  else 
    MDFilter (); 

  return (0); 
} 

/* Digests a string and prints the result. 
 */ 
static void MDString (string) 
char *string; 
{ 
  MD_CTX context; 
  unsigned char digest[16]; 
  unsigned int len = strlen (string); 

  MDInit (&context); 
  MDUpdate (&context, string, len); 
  MDFinal (digest, &context); 

  printf ("MD%d (\"%s\") = ", MD, string); 
  MDPrint (digest); 
  printf ("\n"); 
} 



/* Measures the time to digest TEST_BLOCK_COUNT TEST_BLOCK_LEN-byte 
   blocks. 
 */ 
static void MDTimeTrial () 
{ 
  MD_CTX context; 
  time_t endTime, startTime; 
  unsigned char block[TEST_BLOCK_LEN], digest[16]; 
  unsigned int i; 

  printf 
    ("MD%d time trial. Digesting %d %d-byte blocks ...", MD, 
     TEST_BLOCK_LEN, TEST_BLOCK_COUNT); 

  /* Initialize block */ 
  for (i = 0; i < TEST_BLOCK_LEN; i++) 
    block[i] = (unsigned char)(i & 0xff); 

  /* Start timer */ 
  time (&startTime); 

  /* Digest blocks */ 
  MDInit (&context); 
  for (i = 0; i < TEST_BLOCK_COUNT; i++) 
    MDUpdate (&context, block, TEST_BLOCK_LEN); 
  MDFinal (digest, &context); 

  /* Stop timer */ 
  time (&endTime); 

  printf (" done\n"); 
  printf ("Digest = "); 
  MDPrint (digest); 
  printf ("\nTime = %ld seconds\n", (long)(endTime-startTime)); 
  /* endTime-startTime is 0 when the trial finishes in under one 
     second, in which case the division below divides by zero. */ 
  printf 
    ("Speed = %ld bytes/second\n", 
     (long)TEST_BLOCK_LEN * (long)TEST_BLOCK_COUNT/(endTime-startTime)); 
} 



/* Digests a reference suite of strings and prints the results. 
 */ 
static void MDTestSuite () 
{ 
  printf ("MD%d test suite:\n", MD); 

  MDString (""); 
  MDString ("a"); 
  MDString ("abc"); 
  MDString ("message digest"); 
  MDString ("abcdefghijklmnopqrstuvwxyz"); 
  MDString 
    ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"); 
  MDString 
    ("1234567890123456789012345678901234567890\
1234567890123456789012345678901234567890"); 
} 



/* Digests a file and prints the result. 
 */ 
static void MDFile (filename) 
char *filename; 
{ 
  FILE *file; 
  MD_CTX context; 
  int len; 
  unsigned char buffer[1024], digest[16]; 

  if ((file = fopen (filename, "rb")) == NULL) 
    printf ("%s can't be opened\n", filename); 

  else { 
    MDInit (&context); 
    while (len = fread (buffer, 1, 1024, file)) 
      MDUpdate (&context, buffer, len); 
    MDFinal (digest, &context); 

    fclose (file); 

    printf ("MD%d (%s) = ", MD, filename); 
    MDPrint (digest); 
    printf ("\n"); 
  } 
} 

/* Digests the standard input and prints the result. 
 */ 
static void MDFilter () 
{ 
  MD_CTX context; 
  int len; 
  unsigned char buffer[16], digest[16]; 

  MDInit (&context); 
  while (len = fread (buffer, 1, 16, stdin)) 
    MDUpdate (&context, buffer, len); 
  MDFinal (digest, &context); 

  MDPrint (digest); 
  printf ("\n"); 
} 

/* Prints a message digest in hexadecimal. 
 */ 
static void MDPrint (digest) 
unsigned char digest[16]; 
{ 
  unsigned int i; 

  for (i = 0; i < 16; i++) 
    printf ("%02x", digest[i]); 
} 

A.5 Test suite 

The MD5 test suite (driver option "-x") should print the following 
results: 

MD5 test suite: 
MD5 ("") = d41d8cd98f00b204e9800998ecf8427e 
MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661 
MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72 
MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0 
MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b 
MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 
d174ab98d277d9f5a5611c2c9f419d9f 
MD5 ("123456789012345678901234567890123456789012345678901234567890123456 
78901234567890") = 57edf4a22be3c955ac49da2e2107b67a 

Security Considerations 

The level of security discussed in this memo is considered to be 
sufficient for implementing very high security hybrid digital- 
signature schemes based on MD5 and a public-key cryptosystem. 